PT-2026-23439 · Backstage · Backstage
Published: 2026-03-05 · Updated: 2026-03-07 · CVE-2026-29184
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 3.1.4
Description: Backstage is a framework for building developer portals. A malicious scaffolder template can bypass the log redaction mechanism, potentially exposing secrets provided through task event logs. The attack requires the ability to register a template in the catalog and a victim who executes the malicious template. As a workaround, a custom permission policy can be implemented to restrict access to scaffolder task logs so that users can read only their own task logs. Restricting template registration in the catalog to trusted users is also recommended.
Recommendations: Update to version 3.1.4 or later. Implement a custom permission policy that restricts scaffolder.task.read access. Restrict template registration in the catalog to trusted users only.
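The workaround above can be modelled as a policy decision: for the scaffolder.task.read permission, allow a read only when the caller is the user who created the task, deny anonymous callers, and leave every other permission alone. The block below is an added illustration, not code from the advisory or from the Backstage project. It assumes simplified inline types (PolicyQuery, PolicyUser, PolicyDecision) that only mirror the general shape of a permission-policy request, a synchronous decision rather than Backstage's asynchronous and conditional decisions, and constructed sample task records; the function names are hypothetical.

```typescript
// Added example (not the advisory's or Backstage's own code). Models a custom
// permission policy in which a user may read only the scaffolder task logs of
// tasks they created. The types below are assumptions defined inline so the
// block runs stand-alone; Backstage's real policy interface is asynchronous
// and expresses resource restrictions as conditional decisions.

type PolicyUser = { entityRef: string } | undefined;

interface PolicyQuery {
  permission: { name: string };
  // Assumed: the task being read, identified by the entity ref of its creator.
  resource?: { createdBy?: string };
}

type PolicyDecision = { result: "ALLOW" | "DENY" };

const TASK_READ_PERMISSION = "scaffolder.task.read";

// Hypothetical policy: restrict task reads to the task owner; other
// permissions fall through to ALLOW (the behaviour of an allow-all policy).
export function scaffolderTaskReadPolicy(
  request: PolicyQuery,
  user: PolicyUser,
): PolicyDecision {
  if (request.permission.name !== TASK_READ_PERMISSION) {
    return { result: "ALLOW" };
  }
  // Anonymous callers never see task logs.
  if (!user) {
    return { result: "DENY" };
  }
  // A task with no recorded creator cannot be attributed, so it is denied too:
  // failing closed avoids leaking logs of legacy or system-created tasks.
  const owner = request.resource?.createdBy;
  if (!owner || owner !== user.entityRef) {
    return { result: "DENY" };
  }
  return { result: "ALLOW" };
}

// Constructed sample task records used to exercise the policy.
export const SAMPLE_TASKS: { id: string; createdBy?: string }[] = [
  { id: "task-1", createdBy: "user:default/alice" },
  { id: "task-2", createdBy: "user:default/bob" },
  { id: "task-3" }, // creator not recorded
];

// Returns the ids of the sample tasks whose logs the given user may read.
export function readableTaskIds(user: PolicyUser): string[] {
  return SAMPLE_TASKS.filter(
    t =>
      scaffolderTaskReadPolicy(
        { permission: { name: TASK_READ_PERMISSION }, resource: { createdBy: t.createdBy } },
        user,
      ).result === "ALLOW",
  ).map(t => t.id);
}
```

With these samples, alice sees only task-1, an anonymous caller sees nothing, and an unrelated permission such as catalog.entity.read is unaffected. The fail-closed handling of tasks with no recorded creator is the edge case worth carrying into a real policy.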


Weakness Enumeration: Insertion into Log File

Related Identifiers: CVE-2026-29184, GHSA-8QP7-FHR9-FW53
Affected Products: Backstage